[apparmor] deny and selectively allow in AppArmor?

John Johansen john.johansen at canonical.com
Thu Aug 6 16:28:36 UTC 2020


On 8/6/20 2:05 AM, Jonas Große Sundrup wrote:
> Hi,
> 
> I'm currently playing around with AppArmor to confine some of my daily
> software a bit, and it looks pretty promising.
> 
> However, there is one thing I'd like to achieve but haven't so far:
> 
> I would like to generally disallow access to the owner's home-directory,
> but then selectively allow certain paths in it, for example firefox may
> rmwx ~/.mozilla and subfiles/folders and write things into my
> downloads-folder, but should not have access to anything else.
> 
> So I'd like to do something like
> 
>     deny owner @{HOME},
>     owner @{HOME}/.mozilla rwmx,
>     # ... other selective whitelistings
> 
> Unfortunately, this doesn't work, because (if I remember
> the documentation correctly) deny-directives are subtracted from the
> allowed set after everything else was applied, so the deny-directive
> above would effectively overwrite the allow-directive.

Correct.

> 
> A solution is to explicitly list any paths besides ~/.mozilla for deny,
> but that is quite cumbersome and error-prone if one would like to
> achieve a tight security net as well as creating a very extensive
> profile directory, as every file and directory not allowed has to be
> listed explicitly.
> 

Yep, this is a pita.

> The other idea I had, of specifying positive directives instead of
> deny-directives, also fails, as I have to provide at least one mode, so
> either rwm or x would be allowed, which is also not what I want to
> achieve.
> 
> I have tried doing it with regexes, but that hasn't been successful
> either, but it might be that I got the syntax wrong.
> 
> So is there any way how to solve this in apparmor?
> 

AppArmor is default deny, so if you don't allow access in the profile,
then it won't have access. This is effectively your deny directive
above, but without explicitly listing what is denied.

At the moment you need to be careful with deny rules, as there is no way
to add permissions back in once taken away.

Unfortunately this may mean you need to avoid using some or all of
the abstractions, because they can be overly broad. This is a known
problem, and there has been some work done to extend the language
to make it more flexible, but it's not available yet.
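The two approaches discussed above, side by side, as an added illustration that is not part of the original thread and is not a profile shipped by the AppArmor project. The binary path /usr/lib/firefox/firefox, the profile file name, and the exact set of allowed directories are assumptions chosen for the example; adjust them to the program you are actually confining.

```apparmor
# Added illustration, not from the original thread. The path below is an
# assumption; point it at the binary you are confining.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>

  # --- What the question tried (does not work) ---
  # Deny rules are subtracted from the allowed set after every allow
  # rule has been applied, so this deny also strips the .mozilla access
  # granted on the next line, and that allow never takes effect:
  #
  #   deny owner @{HOME}/** rw,
  #   owner @{HOME}/.mozilla/** rw,

  # --- Default-deny approach (no deny rule at all) ---
  # Only the paths that should be reachable are listed. Everything else
  # under @{HOME} is rejected because it is simply not granted, and the
  # rejections are logged (an explicit deny rule would silence them).
  owner @{HOME}/.mozilla/ rw,
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rw,

  # Listing the home directory itself (for file dialogs). 'r' on a
  # directory path only allows reading its listing; it grants nothing on
  # the files inside, which need their own rules.
  owner @{HOME}/ r,
}
```

Load the profile with `apparmor_parser -r <profile file>` or put it into complain mode first with `aa-complain` and watch the kernel log for `apparmor="DENIED"` entries to find what is still missing. Two caveats that follow from the thread: bare `x` is not accepted in a file rule, AppArmor requires an exec qualifier such as `ix`, `Px`, `Cx` or `Ux`, so a rule like the question's `rwmx` will not parse; and because included abstractions may themselves grant access under @{HOME}, read each abstraction you include (under /etc/apparmor.d/abstractions/) before relying on default deny to keep the rest of the home directory closed.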